Continuing with my previous post, one of the biggest security holes I have noticed in certain application is using unsecure Network I/O communication, especially when activating license. I have seen software where they have used the best tool to obfuscate the code, it is extremely hard to disassemble this. But lose out by invoking a web service with plaintext xml for registration and communication. Like I mentioned in my previous post, I am not going to be discussing on how to solve this problem.

I have seen applications which would have a trial period after which the application pops-up a dialog box for activating license. Only if license text matches the format criteria (like xxx-xx-xxxx-xx) the send button enables. To circumvent the disabled button, some of the smart developers could enable the button within the debugger (windbg /cdb) or using a something like HawkEye . This is the first line of defense for the application.

The next thing is launching something like Fiddler and checking out the web service request /response for the activation request. I am sure most of us have dealt with fiddler, and if you are not aware, fiddler gives an option to have a break-point on response from the server. So it is easy to do a Man-in-the-middle attack by injecting your own response or someone could even hack the lmhost file to act as a server.

And just because it is plain text, I have usually seen a bool variable in the response being activated or not. And it is not hard for someone to update the response text and pass it as a response back from the server.

The updated xml might not comply with the response expected by the application, it might throw an exception like this

0:020> !pe

Exception object: 045b4314

Exception type: System.Xml.XmlException

Message: Unexpected end of file while parsing Test has occurred. Line 13, position 81.

InnerException: <none>

StackTrace (generated):

<none>

StackTraceString: <none>

HResult: 80131940

Because it is xml, usually these applications end up using XmlTextReader to parse it and from the exception someone could figure out what element is expected and build the xml out of this. FYI the XmlTextReader library is usually never obfuscated.

The idea behind this post is to let the dev’s understand the security risks and someone with little advanced knowledge can exploit the holes. This is not just applicable for software piracy, but in general, especially with the RIA growing rapidly we would want to consider the security aspect also.

Share this:

Like this:

I got to see this amazing video on Pivot from Gary Flake. Pivot is about visualizing data. It’s primarily for visualizing patterns and trends. What other way I would use other than analyzing managed memory using pivot. I spend a lot of time in windbg to look at memory for patterns, analyzing memory leaks. And I also know not many of them want to learn the arcane commands of windbg. So I went ahead took the data from managed memory and ported it in to pivot format , which is cxml. I use the “!Traverseheap –xml” command from sos to generate the xml ,which I port it to cxml format.My initial thought was use dgml to visualize the data, but pivot is way better. Pivot can only be used in Vista+ OS.

FYI I know this is not for everyone, there are geeks who wouldn’t want to look at memory in a visual format, they prefer looking at in cdb. I took Facebook Silverlight client app and got a snapshot of the memory for this demonstration

The few things that can be done with this are

Drill down objects by type with just one click : What I mean by this is , you could probably have 6000 odd types of objects and not instances (instances could be in thousands), but if you wanted to look at all the instance of customer objects , it is as easy as one click from the filter.

Here is an example of filtering securitypermission objects in memory

Drill down members: The objects members can be looked up. So if you are looking at the customer object then you can view strings, ints and all its members. It WILL NOT have the value for these members. It is not provided by the traverseheap command

Filter objects by namespace– All the objects belonging to namespaces can be drilled down.

The above code converts the xml format from !traverseheap to pivot xml format. This is CPU intensive and I have not profiled and fine tuned it. I use plinq for conversion primarily because I have quad-core box. I use pictures from powerpoint for visualizing objects and I also wrote SplitEx method to avoid splitting namespaces that are part of the type name within generics “GenericEqualityComparer`1[[System.String, mscorlib]]”

And here is the command to get the xml input for the above code as input

Like this:

I am sure there are quite a few blog posts that advocate on not set debug=true in production code. The reason being the optimization and performance are turned off. In this blog post I am specifically going to demonstrate how the lifetime of a variable would be extended based on this setting by the JIT Compiler. The JIT compiler explicitly extends the lifetime of the local variables until the end of the method, which might not be required because it is not being used anymore.

In the above sourcecode I have created a new instance of customer and I am not referring it anywhere after that. I am explicitly invoking GC.Collect so that the objects that aren’t in scope would be collected.

I have compiled this code within VS.NET using the default setting, which essentially is the debug mode. And here is the output after disassembling it, which adds the Debuggable attribute to the assembly

Notice the change we don’t see the variable “c” of type Customer anymore after the GC.Collect in the release mode. The reason behind this is, in debug mode ,the JIT Compiler explicitly extended the lifetime of the local variable to the end of the method and where as in release mode it does not do it.

Share this:

Like this:

IntelliTrace is one of the best things in Visual Studio 2010. You can do “time travel” through your managed code. John Robbins has cool cool blog post on the working on IntelliTrace. I knew I could use IntelliTrace in field where the customer does not have VS.NET. To use in field ,I had to figure out the dependencies for IntelliTrace. So I fired up Windbg attached to the IntelliTrace process which would dump the all the modules loaded

When i tried to open the “C:\Users\naveen\AppData\Local\Microsoft\VisualStudio\10.0\TraceDebugger\Settings\aoqsbu4g.fpj”, I got this error

So I went to the directory and just made a copy of the file and then I was able to open the file. It was a xml file which contains most of the settings. It is collection plan settings file. The things that I updated in this file were <LogFileDirectory useDefault=”false”>C:\temp\</LogFileDirectory> and <DeleteLogOnExit>false</DeleteLogOnExit> for my test run. There are lot of settings in this file, which can be tweaked based on need,do explore this file.

With all this information, the next thing was to get a clean Installation of Windows without VS.NET, good thing I had my laptop which had that. So I copied the required dependencies mentioned above along with a simple test.exe which I used for figuring out Watson Buckets and here are the contents of the directory

Unhandled Exception: System.NullReferenceException: Object reference not set to
an instance of an object.
at WatsonTest.Test.Main(String[] args)
Process exited with exit code -532462766.
Process execution time: 5097 ms
Logger name is ‘c__temp_9ce6b8f1-19a5-44b7-909d-512a4c74e632.itrace’
Stopping logger

That’s cool. I was able to trace it without VS.NET on the box and I brought the trace file back to dev machine I was able load it up in VS.NET and could see stacks. And also from the above output I figured out there are other undocumented command line options.

Like this:

I wanted to understand about UnhandledExceptions in .NET because of the few questions that I saw in the CLR Forum ,which had watson buckets in the event viewer. To get deep understanding unhandled exception filter there is a article on MSDN from CLR Team.

In this post I will be demonstrating how to get the Watson Bucket from within your code . FYI this is the same information you can get !WatsonBuckets from sos within Windbg whenever there is a termination of the .NET process. !WatsonBuckets is undocumented. I am using the CLR hosting interfaces to get the watson bucket. Here is the code that throws an unhandled exception and invokes clr to get watson bucket info.

In the above code WatsonBuckets is a structure to get watson bucket information back from CLR. In the code I use 3 hosting interfaces, IClrRuntimeHost which is the main interface, the next interface is IClrControl which has GetCLRManager method to get ErrorReportingManger. IClrErrorReportingManager which has the method to get the exception buckets which is GetBucketParametersForCurrentException. I know that there isn’t going to be much of use for this code. But it gives me better understanding of CLR integrates with watson when ever there is termination of an application.

Like this:

With the latest release of sosex comes a new set of functions to debug. It is pretty awesome that one person (Steve) alone could pull of such cool things. In this blog post, I am just going to demonstrate how easy it is to debug managed code using sosex compared to sos.

Notice the dict object is in the 8th offset . To dump contents dict object I would use the command !do poi(0000000002761e20+8) , which is pointer deference of Test object on it is 8th offset. And here is the output

And the dictionary object in turn stores them within an array which is again the 8th offset. This time because we know it is an array we are going to use the !dumparray command on the memory location. The command to get the details is

Now lets try and do the same thing using sosex. The one thing that I really like about the new sosex is that I can use names rather than pointer deference which is way much easier. Launched the app and then loaded sosex using the command

.load F:\Work\Tools\debuggers\sosex.dll

and then switched the thread from 4th to 0th thread using ~0s. By default the debugger injects a thread into the process for debugging and that was the 4th thread. The next command I issued was to get stack trace

FYI the command !mk has been part of sos from the initial version. I am interested in only looking at the code that I wrote so I would like to move stack frame to 0c which is MemCheck.Test.Main . To do that the command is !mframe 0c, which moves to that stackframe. The reason to move the particular stack frame is to look for variables in the stack and the command to variables is !mdv , which display managed local variables

I didn’t have to get memory address , I am using the names which is very intuitive ,especially when we have to debug large application with N levels of nesting.So to get the dict values from p the command to issue is !mdt -e p.dict

Here is the partial output. Notice I never had to use a memory pointer or do a pointer deference .This is very similar to VS.NET debugging where I am used to the variable names compared the memory address. Thanks to Steve for providing such a cool extension.

This is going to be a series of posts where I am going to demonstrating how someone with little advanced knowledge in .NET can hack in to the code, and circumventing licensing logic. I know there are other ways to prevent this ,which I am not going to be discussing about.

The usual assumption is that, if the code is obfuscated and signed , then it is close to impossible for someone to hack in to the code because the method names and variables are jumbled up, which would prevent someone from figuring what is happening.

In this post I am going to demonstrate a simple application which would prevent the user from updating the DataGrid because the user had downloaded only a trial version of the software. The software was supposed to disable grid and prevent the consumer from adding or updating the existing data, in a trial version. This was customer case, whom I helped in figuring out the vulnerability.

Here is the list of things the software did to prevent users from not accessing features that they were not entitled to

Obfuscated the code, that prevented the code from being disassembled.

The code that validated the consumers role either paid / trial alone was maintained in a separate assembly .So that for trial consumer’s, assembly version always returned false, for key features and for the paid subscribers got the assembly version that would return true. The organization assumption was ,by not even having the assembly ,trial users would never be able to circumvent the licensing logic. The customer could not maintain two versions of entire software, one for the trial another one paid because of the cost involved in maintenance and that’s the driving factor behind having a separate assembly.

The code was signed and this prevented the users from hacking into the code and changing the code.

So the idea behind this was, the trial version user would always get false as response, and would never be able to hack, because consumer does not even have library that would return true.

So I was asked to check for vulnerabilities. The first step was to disassemble the code using reflector and you can imagine the code had all weird names because of obfuscation.

The next step was to run the application and check when I get a dialog box for “Available only for paid customer”. The reason behind this was to get a callstack ,because all the methods names are jumbled and I didn’t know where to start.

When the messagebox popped up I attached the application to windbg and here is callstack

So my next step was to disassemble the call to “this.d.a()” and here is output from reflector

public class d : b
{
// Methods
public bool a()
{
return false;
}
}

And I was hoping there would be a class variable that I could update inside the debugger to activate the feature. Like I mentioned I before ,I couldn’t update the assembly using ILASM or anything, because the assemblies were signed and there wasn’t any class variable to update. This assembly was for the trial version consumers which were supposed to always return false.

But there was one trick that I had. I could update the register on the function return, So what I mean is, when the function “a” is invoked by the button click to validate the consumer , I would update the return register from false to true. By doing this my grid would be enabled and I circumvent the logic with the existing constraints.

So here are the steps to do it

So I looked for the type “d” !dumpheap -type d, remember the TrialCustomer class was the renamed to d by obfuscator .

Go the method table as 00146b9c from the above command , using the method table I had to get the entry address for the function public bool a() because the buttonclick was invoking the function.

I used the command !dumpmt -md 00146b9c to get the entry address for d.a() and here was the entry address 001b0540 .

The idea behind getting the address was to set a break-point on 001b0540 . I used the command bp 001b0540 . So when the break-point hits I would create another break-point for the function return, which is stored in the register @esp bp poi(@esp). So what bp poi(@esp) essentially means is, create a break-point on the return of function , it is almost like having a break-point on the last line inside a function within VS.NET.

So when the break-point hits for the function return ,the return value is stored in the @eax register and here is the output

Now the trick is to update the @eax register from 00000000 to 00000001, by doing this we are changing the value from false to true, using the command “r eax=00000001” and here is the output after updating the register